23rd Jan 2002 [SBWID-5023]
COMMAND
GetRelativePath() in CwpApi.php returns paths outside of the HTTP
ServerRoot
SYSTEMS AFFECTED
All versions prior to and including CwpApi-1.1.0, any platform
PROBLEM
From the ACD Incorporated security advisory:
CwpApi can return a path via GetRelativePath() that is outside the HTTP
server root. This happens because the code checked only to see if the
server root was mentioned in the path, not whether the actual directory
fell under the server root. For example: a path of /etc/var/www/myfile.file
would be considered valid if the server root directory is /var/www.
If the directory is not below the server root, the directory is forced
beneath the server root. For example /etc/var/www/myfile.file will
become /var/www/etc/var/www/myfile.file.
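The difference between "the server root is mentioned in the path" and "the path falls under the server root", as an added example that is not CwpApi's own code. The function names are hypothetical, the sample paths other than the advisory's are constructed, and paths are assumed to be absolute.

```php
<?php
// Added illustration, not CwpApi source. All function names are hypothetical.

// The flawed test as the advisory describes it: the server root only has to
// appear somewhere inside the path.
function mentions_root(string $path, string $root): bool
{
    return strpos($path, $root) !== false;
}

// Lexically normalise an absolute path: drop empty and "." segments and
// resolve "..". No filesystem access, so symlinks are not resolved; PHP's
// realpath() does that when the file exists.
function normalize_path(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Containment test: the normalised path must be the root itself or begin
// with the root followed by a directory separator.
function is_under_root(string $path, string $root): bool
{
    $root = rtrim(normalize_path($root), '/');
    $path = normalize_path($path);
    return $path === $root
        || strncmp($path, $root . '/', strlen($root) + 1) === 0;
}

$root = '/var/www';
$samples = [
    '/var/www/myfile.file',      // genuinely below the root
    '/etc/var/www/myfile.file',  // the advisory's example
    '/var/wwwroot/myfile.file',  // constructed: sibling directory sharing the prefix
    '/var/www/../lib/myfile.file', // constructed: leaves the root after normalisation
];
foreach ($samples as $p) {
    printf("%-30s mentions_root=%-6s is_under_root=%s\n", $p,
        mentions_root($p, $root) ? 'accept' : 'reject',
        is_under_root($p, $root) ? 'accept' : 'reject');
}
```

Only the first sample passes the containment test, while the substring test accepts all four.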
SOLUTION
Update to version 1.1.1
http://sourceforge.net/projects/cwpapi/